Web UI
Vault features a web-based user interface (UI) that enables you to unseal, authenticate, manage policies and secrets engines.
Warning
Press Ctrl+C to terminate the dev server that is running at
http://127.0.0.1:8200
(if any) before proceeding.
Server Configuration
Note
When you operate Vault in development mode the UI is automatically enabled, but when Vault is running outside of development mode, the UI is not activated by default.
To activate the UI, set the ui
configuration option in the Vault
server configuration.
The UI runs on the same port as the Vault listener. As such, you must configure
at least one listener
stanza in order to access the UI.
Example:
In this case, the UI is accessible at the following URL from any machine on the
subnet (provided no network firewalls are in place): https://10.0.1.35:8200/ui
It is also accessible at any DNS entry that resolves to that IP address, such as
the Consul service address (if using Consul):
https://vault.service.consul:8200/ui
Note
When you start the Vault server in dev mode, Vault UI is automatically enabled and ready to use.
Start Web UI
Create server configuration file named
config.hcl
.The
raft
storage backend requires the filesystem path./vault/data
.Although the listener stanza disables TLS (
tls_disable = "true"
) for this tutorial, Vault should always be used with TLS in production to provide secure communication between clients and the Vault server. It requires a certificate file and key file on each Vault host.Create the
vault/data
directory for the storage backend.Start a Vault server with server configuration file named
config.hcl
.Example output:
Launch a web browser, and enter
http://127.0.0.1:8200/ui
in the address.The Vault server is uninitialized and sealed. Before continuing, the server's storage backend requires starting a cluster or joining a cluster.
Select Create a new Raft cluster and click Next.
Enter
5
in the Key shares and3
in the Key threshold text fields.Click Initialize.
When the unseal keys are presented, scroll down to the bottom and select Download key. Save the generated unseal keys file to your computer.
The unseal process requires these keys and the access requires the root token.
Click Continue to Unseal to proceed.
Open the downloaded file.
Example key file:
Copy one of the
keys
(notkeys_base64
) and enter it in the Master Key Portion field. Click Unseal to proceed.The Unseal status shows
1/3 keys provided
.Enter another key and click Unseal.
The Unseal status shows
2/3 keys provided
.Enter another key and click Unseal.
After 3 out of 5 unseal keys are entered, Vault is unsealed and is ready to operate.
Copy the
root_token
and enter its value in the Token field. Click Sign in.